1. Introduction
XamPro, a proprietary software platform owned and operated by EduSoft LTD, is designed to facilitate examination proctoring and associated administrative services for UK-based schools and colleges. This Privacy Policy governs the collection, processing, and storage of personal data in accordance with applicable legal standards and regulatory obligations.
For the purposes of UK GDPR, EduSoft LTD acts as the Data Processor, while schools and local education authorities act as the Data Controllers. All schools must sign an explicit Data Processing Agreement (DPA) with EduSoft LTD before using XamPro, thereby consenting to the processing of personal data as described in this policy.
2. Legal Basis for Processing
We collect and process personal data under the following legal bases as set out in Article 6 of the UK GDPR:
- Legitimate Interests: Processing is necessary to deliver our examination proctoring and SMS services to educational institutions.
- Public Task: Schools and colleges act in the public interest when using our services.
- Contractual Obligation: Data processing is required for fulfilling contractual agreements between EduSoft LTD and the educational institution.
3. Categories of Data Collected
The following categories of data are collected and processed by XamPro:
3.1 School and Staff Data
| Data Category | Purpose & Legal Justification |
|---|---|
| School Name | Required for identification and administrative purposes. |
| DfE Number | Ensures correct linkage with national education databases. |
| Primary Contact Information | Used for official communication and support requests. |
| Local Authority | Used for regulatory reporting and compliance. |
| Staff Title | Used to define the role of staff members within the institution. |
| Legal Forename & Surname | Required for staff identification and account creation. |
| Email Address | Used for authentication, account recovery, and communication. |
| Job Designation | Required to assign appropriate user roles and permissions. |
3.2 Student Data
| Data Category | Purpose & Legal Justification |
|---|---|
| Unique Pupil Number (UPN) | Required for uniquely identifying students and ensuring accurate record-keeping. |
| Admission Number (AdNo) | Used internally by schools to maintain admission records. |
| Legal Forename & Surname | Essential for student identity verification and linking to examination results. |
| Date of Birth | Ensures eligibility for age-restricted examinations and prevents duplicate records. |
| Gender | Used for statistical reporting and compliance with examination board requirements. |
| Admission & Leavers Date | Ensures accurate records for active and former students. |
4. Data Sharing and Security
EduSoft LTD does not sell or share personal data with third parties. However, data is shared in the following limited circumstances:
- With SMS Service Providers: For schools using the SMS module, only the message content and recipient contact details (mobile/landline number) are shared with UK ICO-compliant SMS gateway providers.
- Legal Compliance: We may disclose data where legally required, such as to law enforcement agencies or regulatory bodies.
Data security measures include:
- All passwords stored using SHA-2 hashing with salting.
- Data hosted on UK-based Amazon AWS servers with full Data Protection Act 2018 compliance.
- Data transmission secured via Cloudflare web application filtering and load balancing.
- End-to-end SSL encryption for all transmitted data.
- Mandatory Two-Factor Authentication (2FA) for all system users (excluding students using access codes).
- Strict password policy: minimum 8 characters, at least one special character, no password reuse.
5. Data Retention & Deletion
- Data is stored for the duration of the school's active subscription.
- Upon subscription termination, data is retained for 31 days before permanent deletion.
- Schools may request data deletion at any time via a formal support request.
- Schools may request a copy of their data with written consent from the headteacher.
6. Changes to This Policy
EduSoft LTD reserves the right to update this Privacy Policy to reflect legal or regulatory changes. Any significant changes will be communicated to schools via email to registered primary contacts and through system announcements within XamPro. Continued use of XamPro after changes take effect constitutes acceptance of the revised policy.
7. ICO Registration
EduSoft LTD is registered with the Information Commissioner's Office (ICO) under registration number ZB799468, ensuring compliance with UK GDPR and the Data Protection Act 2018.
8. Contact Information
For privacy-related enquiries, please contact us:
Email: info@xampro.co.uk
If your concern is unresolved, you may escalate to the ICO: www.ico.org.uk
9. Revision History
- Revision 1.0.2 — 15 February 2025: Corrected broken hyperlink; Clause 4 revised to include SMS provider data sharing information.